Mail server hammering

Posted by Rodrigo on Server Fault See other posts from Server Fault or by Rodrigo
Published on 2010-06-04T04:40:36Z Indexed on 2010/06/04 6:10 UTC
Read the original article Hit count: 412

Filed under:
|
|
|

I've noticed a quick increase on smtp connections coming to my server, investigating it further i figured out that there's a botnet hammering my smtp server. I've tried to stop it by adding a rule at iptables:

-N SMTP-BLOCK -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-BLOCK " -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --set -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 60 --hitcount 3 -j SMTP-BLOCK -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

That would avoid them from hammering "too fast", however the problem still, there's like 5 tries per second, it's going insane, i had to incrase the maximum number of childs of sendmail/dovecot. There's too many ips to filter out manually and simply changing the smtp to another port is not practical since i got many other clients on that server.

I'm using sendmail with dovecot, any ideas to have this filtered out more efficiently?

© Server Fault or respective owner

Related posts about iptables

Related posts about sendmail